EVALUATION REPORT

Evaluation of NRC’s Automated Information System Inventory Process

OIG-05-A-22      September 30, 2005

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


September 30, 2005

MEMORANDUM TO:   Luis A. Reyes
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         EVALUATION OF NRC’S AUTOMATED INFORMATION SYSTEM INVENTORY PROCESS (OIG-05-A-22)

Attached please find the Office of the Inspector General’s report Evaluation of NRC’s Automated Information System Inventory Process. Richard S. Carson and Associates, Inc., conducted this evaluation on our behalf and found that:

   •  Information in NRC automated information system (AIS) inventories is inaccurate and inconsistent.
   •  NRC AIS inventory systems are not designed to capture all of the data needed to meet Federal requirements.

During an exit conference on September 21, 2005, NRC officials provided comments concerning the draft audit report, generally agreeing with the report contents. Subsequently, the agency elected not to submit formal written comments on this report.

If you have any questions or wish to discuss this report, please call me at 415-5915 or Beth Serepca at 415-5911.

Attachment: As stated


Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
William N. Outlaw, Acting Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Michael R. Johnson, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV


Office of the Inspector General
Evaluation of NRC’s Automated Information System Inventory Process

Contract Number: GS-00F-0001N
Delivery Order Number: DR-36-03-346

September 30, 2005

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.


Evaluation of NRC’s AIS Inventory Process

EXECUTIVE SUMMARY

BACKGROUND

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, including the requirement to develop and maintain an inventory of major information systems operated by or under the control of the agency. The inventory must identify the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency, and must be updated at least annually. The inventory shall also be used to support information resources management.

Management Directive (MD) and Handbook 12.5, NRC Automated Information Security Program, assigns the NRC Chief Information Officer (CIO) responsibility for developing and maintaining a master inventory of all agency systems.
MD and Handbook 2.1, Information Technology Architecture, assigns the NRC CIO responsibility for developing, maintaining, and implementing the NRC Information Technology Architecture (ITA). The agency maintains two inventories, the Information Technology Systems Security Tracking System (ITSSTS) and the Enterprise Architecture Repository System (EARS), to meet the requirements outlined in MD and Handbooks 12.5 and 2.1, respectively.

PURPOSE

The objective of this review was to evaluate NRC’s process for maintaining an inventory of automated information systems (AIS).

RESULTS IN BRIEF

Carson Associates evaluated NRC’s AIS inventory process and found that:

   •  Information in NRC AIS inventories is inaccurate and inconsistent.
   •  NRC AIS inventory systems are not designed to capture all of the data needed to meet FISMA requirements.

Information in NRC AIS Inventories Is Inaccurate and Inconsistent

Despite the requirements in MD and Handbooks 12.5 and 2.1 for maintaining AIS inventories, the information in NRC AIS inventories is inaccurate and inconsistent because the procedures for maintaining and updating the inventories are inadequate. The lack of adequate procedures not only produces inaccurate and inconsistent data but also causes duplicative effort for NRC offices. Because the inventory data are inaccurate and inconsistent, the agency lacks a complete understanding of which AISs are currently in use, and therefore cannot support two of the five areas of information resources management specified by FISMA. Without knowing what information technology is in place, the agency cannot adequately plan, budget, acquire, and manage information technology. The agency also cannot adequately monitor, test, and evaluate security controls for AISs as required by FISMA.

NRC Automated Inventory Systems Are Not Designed to Capture All of the Data Needed to Meet FISMA Requirements

As stated previously, FISMA requires development of an inventory of major information systems that shall be used to support five areas of information resources management. However, neither ITSSTS nor EARS was designed to capture all of the data needed to fully meet these requirements. For example, only one inventory system captures the data needed to indicate which systems include Privacy Act data, and not all systems that include Privacy Act data are correctly identified. The agency cannot provide effective privacy protections, and cannot test and evaluate those protections, if it cannot identify which systems contain Privacy Act data. In addition, neither inventory system captures the data needed to support (1) preparation and maintenance of the inventory of information resources required to support the Government Information Locator Service, (2) preparation of the index of major information systems required under the Freedom of Information Act, and (3) preparation of information system inventories required for records management.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve the NRC AIS inventory process. A consolidated list of recommendations appears in Section 4 of this report.

AGENCY COMMENTS

The Office of the Inspector General (OIG) provided this report in draft to agency officials and discussed its content at an exit conference on September 21, 2005.
We modified the report as we determined appropriate in response to our discussion. Agency officials generally agreed with the report’s findings and recommendations and opted not to include formal comments.


ABBREVIATIONS AND ACRONYMS

AIS                 Automated Information System
Carson Associates   Richard S. Carson and Associates, Inc.
CIO                 Chief Information Officer
EARS                Enterprise Architecture Repository System
FISMA               Federal Information Security Management Act
FY                  Fiscal Year
GSS                 General Support System
ITA                 Information Technology Architecture
ITIM                Information Technology Investment Management
ITSSTS              Information Technology Systems Security Tracking System
MA                  Major Application
MD                  Management Directive
NIST                National Institute of Standards and Technology
NRC                 Nuclear Regulatory Commission
NSTS                National Source Tracking System
OIG                 Office of the Inspector General
OIS                 Office of Information Services
PASS                Property and Supply System
RPS                 Reactor Program System
SP                  Special Publication
U.S.C.              United States Code


TABLE OF CONTENTS

Executive Summary
1  Background
2  Purpose
3  Findings
    3.1  Information in NRC AIS Inventories Is Inaccurate and Inconsistent
    3.2  NRC AIS Inventory Systems Are Not Designed To Capture All of the Data Needed To Meet FISMA Requirements
4  Consolidated List of Recommendations
5  OIG Response to Agency Comments

Appendices
    Appendix A: Scope and Methodology
    Appendix B: 2003 Validation Report
    Appendix C: 2005 Validation Report


1  Background

On December 17, 2002, the President signed the E-Government Act of 2002, which included FISMA [1]. FISMA outlines the information security management requirements for agencies, including the requirement to develop and maintain an inventory of major information systems operated by or under the control of the agency. The inventory must include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. The inventory is required to be updated at least annually. The inventory shall be used to support information resources management, including:

    •  Preparation and maintenance of the inventory of information resources required to support the Government Information Locator Service [2].
    •  Information technology planning, budgeting, acquisition, and management.
    •  Monitoring, testing, and evaluation of information security controls.
    •  Preparation of the index of major information systems required under the Freedom of Information Act.
    •  Preparation of information system inventories required for records management.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] The Government Information Locator Service identifies and describes information resources throughout the Federal Government. It also describes how the public can obtain the information (an information locator).

NRC AIS Categories

NRC uses four categories to describe its AISs, as follows:

    •  Major Application (MA) – a computerized information system or application that requires special attention to security because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of the information in the application.
    •  General Support System (GSS) – an interconnected set of information resources under the same direct management control that share common functionality. Typical GSSs are local and wide area networks, servers, and data processing centers.
    •  Listed – a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office’s or region’s operations, but which is not an MA or GSS when viewed from an agency perspective. Sensitive data may include individual Privacy Act [3] information, law enforcement sensitive information, sensitive contractual and financial information, safeguards, and classified information.
    •  Other – an NRC system that does not require additional security protections and is adequately protected by the security provided by the NRC local area network/wide area network. The Office of Information Services (OIS) and the system sponsor must first jointly decide that the application is appropriately called a system and is to be included in the NRC master inventory of systems.

[3] The Privacy Act of 1974 (5 U.S.C. § 552a), as amended, was enacted to balance the Government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy resulting from the collection, maintenance, use, and disclosure of personal information. The Privacy Act safeguards confidentiality by limiting or restricting disclosure of personally identifiable records maintained by Federal agencies.

NRC AIS Inventories

MD and Handbook 12.5, NRC Automated Information Security Program, assigns the NRC CIO responsibility for developing and maintaining a master inventory of all agency systems.
The identification of all major information systems in the inventory must include an identification of the interfaces between each system and all other systems and networks, including those not operated by or under the control of the agency.

MD and Handbook 2.1, Information Technology Architecture, assigns the NRC CIO responsibility for developing, maintaining, and implementing the NRC ITA [4]. According to MD and Handbook 2.1, the ITA:

    •  Ensures the integration and interoperability of technology in the NRC information technology environment.
    •  Reduces agency costs for data entry and maintenance; information technology development, maintenance, and operation; and training and support.
    •  Increases productivity by improving the quality of information and ensuring users have easier access to information.

The NRC ITA is also intended to support other agency processes, such as information technology capital planning and investment control and information technology acquisitions. One of the eight components [5] of the ITA is a database of information technology systems, including databases used for change management, integration and retirement of legacy systems, and ITA compliance certification. The ITA database is used by NRC project managers and OIS technical staff to track the status of systems during their life cycles, plan system retirements, and report on systems.

[4] An ITA is an integrated framework for evolving or maintaining existing information technology and acquiring new information technology to achieve the agency’s strategic goals and information resources management goals (Title 40 U.S.C. § 11315(a)). The term enterprise architecture is also used to describe an agency’s ITA.
[5] The other seven components are the Enterprise Model, Strategic Data Model, Consolidated Data Model, Physical Technology Architecture, Systems Development Life Cycle Methodology, Technical Reference Model, and Data Administration Reference Manual.

Information Technology Systems Security Tracking System (ITSSTS)

ITSSTS was created to meet the requirements outlined in MD and Handbook 12.5 for developing and maintaining a master inventory of all agency systems. ITSSTS is used to track information on each MA and GSS, including the publication dates of relevant security documentation such as risk assessments, security plans, contingency plans, security test and evaluation plans and reports, and certification and accreditation reports. ITSSTS is also used to track information on Listed and Other systems. ITSSTS includes information on NRC AISs that are under development, operational, and no longer in use. NRC AISs that do not meet the criteria of a system as defined in MD and Handbook 12.5 are not tracked in ITSSTS. The OIS Program Management, Policy Development, and Analysis Staff, Computer Security Team, maintains ITSSTS.

ITSSTS includes the following types of information for each system:

   •  Office – the NRC office that owns or sponsors the system.
   •  System ID/System Name – the system’s identifier (usually an acronym) and name.
   •  Type – the system type (MA, GSS, L – Listed, O – Other, Sub – subsystem to another system, eG – Electronic Government System).
   •  System Status – current status of the system (Active, Inactive, Development, Retired, Transitioned, and Unknown).
   •  Comments – additional system information, typically a description of what the system does.

The ITSSTS inventory provided by the agency on July 7, 2005, includes 501 individual systems.

Enterprise Architecture Repository System (EARS)

EARS was created approximately 1½ years before this evaluation to meet the requirements outlined in MD and Handbook 2.1 and is one part of NRC’s ITA. EARS includes information on NRC AISs that are under development, operational, and no longer in use. Systems in EARS may not meet the criteria for inclusion in ITSSTS. For example, a system may be tracked in EARS because of its relationship to the NRC ITA even though it does not meet the criteria for an NRC AIS as defined in MD and Handbook 12.5. The OIS Business Process Improvement and Applications Division, Quality Assurance and Technology Branch, is responsible for the ITA database.

EARS includes the following types of information:

   •  Office – the NRC office that owns or sponsors the system.
   •  System Name/Full Name – the system’s identifier (usually an acronym) and name.
   •  Description – additional system information.
   •  System ID – numeric identifier assigned to the system.
   •  Status – current status of the system (Initial Concept, Planning, Full Acquisition, Steady State, and Mixed Life Cycle). This field is empty for almost all of the systems in EARS.

The EARS inventory provided by the agency on August 23, 2005 (dated August 17, 2005), includes 404 individual systems.

2  Purpose

The objective of this review was to evaluate NRC’s process for maintaining an inventory of AISs.

3  Findings

Carson Associates evaluated NRC’s AIS inventory process and found that:

   •  Information in NRC AIS inventories is inaccurate and inconsistent.
   •  NRC AIS inventory systems are not designed to capture all of the data needed to meet FISMA requirements.

3.1  Information in NRC AIS Inventories Is Inaccurate and Inconsistent

MD and Handbook 12.5 require regional administrators, office directors, and system sponsors/owners to ensure that information systems sponsored by their offices are included in the agency’s master inventory of all agency systems.
They are required to work with the agency to update and revalidate the master inventory of systems on an annual basis.

MD and Handbook 2.1 assign the CIO responsibility for establishing an agencywide data administration program to promote data integrity and quality, including establishing data stewardship [6] standards and practices. Regional administrators and office directors are responsible for ensuring that office or regional business data are managed by office and regional data stewards in conformance with NRC data administration policies, procedures, and standards.

[6] A data steward is an individual charged with monitoring and ensuring the accuracy, timeliness, and compliance of a designated subset of NRC data with information technology standards.

Despite the requirements outlined in MD and Handbooks 12.5 and 2.1 for maintaining AIS inventories, the information in NRC AIS inventories is inaccurate and inconsistent.

Inaccurate Information

The following are examples of inaccurate information found in ITSSTS and EARS.

   •  Missing data. Many of the fields in both inventories contain no data. In some instances, the only information is the system name, making it difficult to identify what the system is used for.
   •  Systems not assigned to an office. Both inventories include systems that are not assigned to an office. Without an assigned office there is no clear point of contact from which to obtain updated information for the system. Carson Associates identified more than 30 systems that are not assigned to an office.
   •  Variations in system name. Carson Associates identified at least five systems in the two inventories that appear to be the same system but have slight variations in the system name. Because ITSSTS does not carry a unique numeric system ID (its System ID field is usually an acronym), it was difficult to determine whether two such entries are actually the same system.
   •  Duplicate systems. Both inventories contain multiple entries for what appear to be the same systems. However, because the inventories hold little detail on these systems, Carson Associates could not determine whether these entries represent duplicate systems. Approximately 18 systems in the AIS inventories have more than one entry.
   •  Errors in system status. Carson Associates identified over 100 systems that are retired, inactive, or were determined not to meet the criteria of a system, yet have a status of “Active” in ITSSTS. Most of these systems have no value in the “Status” field in EARS, and EARS has no status value to indicate that a system is no longer in use. Carson Associates also identified six systems marked as “Retired” that, according to data provided by the system sponsor/owner, are still “Active.”
   •  Errors in system type in ITSSTS. Carson Associates identified at least 35 systems in ITSSTS categorized as “Other” that should be categorized as “Listed.” MD and Handbook 12.5 define a “Listed” system as a computerized information system or application that processes sensitive information requiring additional security protections. As noted previously, sensitive data may include individual Privacy Act information, law enforcement sensitive information, or sensitive contractual and financial information. Carson Associates identified 11 systems that the sponsoring office identified as containing sensitive data, and 1 system that the sponsoring office identified as a “Listed” system, that were categorized as “Other” in ITSSTS. Carson Associates also identified 26 systems that may be systems of records [7] or duplicate systems of records [8] but were categorized as “Other” in ITSSTS. A system of records (or duplicate system of records) contains information protected by the Privacy Act and therefore should be categorized as a “Listed” system.
   •  System interfaces. In response to an FY 2003 FISMA independent evaluation recommendation that the agency update the master inventory of systems, the agency tasked a contractor to identify the interfaces for all systems under maintenance. The results of this information collection were provided to the Enterprise Architecture group (OIS Business Process Improvement and Applications Division, Quality Assurance and Technology Branch) for input into the agency’s ITA.
Carson Associates reviewed the\n         system interface information collected by the contractor and found that it did not reflect\n         all interfaces for NRC MAs and GSSs. For example, the interface information did not\n         include interfaces between the Human Resources Management System and other NRC\n         AISs. Carson Associates also reviewed the interface information in EARS (ITSSTS does\n         not include interface information) and found that the interface information in EARS does\n\n7\n  A system of records is a group of Privacy Act records under the control of NRC from which information is\n  retrieved by the name of an individual or by an identifying number, symbol, or other identifier assigned to an\n  individual.\n8\n  A group of records that are similar to records contained in an NRC system of records. It need not contain all of the\n  records contained in the primary system.\n\n\n                                                          5\n\x0c                                                              Evaluation of NRC\xe2\x80\x99s AIS Inventory Process\n\n\n\n       not reflect the interface information gathered by the contractor in response to the FY\n       2003 FISMA independent evaluation, nor does it reflect all interfaces for NRC MAs and\n       GSSs.\n\nInconsistent Information\n\nThe following are examples of inconsistent information found in ITSSTS and EARS.\n\n   \xe2\x80\xa2   Systems in EARS but not in ITSSTS. Carson Associates identified 95 systems that\n       were in EARS but were not in ITSSTS. These systems may not meet the criteria for a\n       system as defined in MD and Handbook 12.5, and therefore would not be tracked in\n       ITSSTS. However, due to the lack of detailed information on these systems, Carson\n       Associates could not determine whether they should be tracked in ITSSTS.\n   \xe2\x80\xa2   Systems in ITSSTS but not in EARS. 
Carson Associates identified 192 systems that\n       were in ITSSTS but were not in EARS. Of the 192, 42 are for actual systems, 9 appear to\n       be dummy or temporary entries, and 141 are for standalone personal computers and\n       laptops used to process safeguards and/or classified information. Systems that meet the\n       criteria for a system and are tracked in ITSSTS are the types of systems that should also\n       be tracked in EARS. Standalone PCs and laptops that process safeguards and/or\n       classified information, which are considered to be Listed systems and that are tracked in\n       ITSSTS, may not need to be tracked in EARS as they are standalone systems and are not\n       part of the NRC ITA.\n   \xe2\x80\xa2   Inconsistent reporting of systems composed of multiple components. Some of the\n       systems in ITSSTS are composed of multiple components. In some cases, each\n       component is listed as a separate system on the inventory. For example:\n          - Four subsystems of the Reactor Program System (RPS) are listed as individual\n            systems in ITSSTS. However, not all RPS subsystems are listed. Carson\n            Associates identified at least nine additional RPS subsystems that are not included\n            in ITSSTS.\n          - Five subsystems of the Operations Center Information Management System are\n            listed as individual systems in ITSSTS.\n          - Nine systems owned by the Office of the Chief Financial Officer are subsystems\n            of the Fee Systems. However, they are reported as individual systems.\n       EARS has no mechanism for indicating a system is a subsystem.\n   \xe2\x80\xa2   Inconsistent reporting of \xe2\x80\x9cCodes.\xe2\x80\x9d NRC uses computer codes to evaluate thermal-\n       hydraulic conditions, fuel behavior, and reactor kinetics during various operating and\n       postulated accident conditions. 
       Results from applying the codes support decisionmaking
       for risk-informed activities, the review of licensees’ codes and performance of audit
       calculations, and the resolution of other technical issues. One office director inquired
       about whether or not “Codes” should be included on the inventories. The office director
       stated that in a previous exercise updating the NRC Enterprise Model Applications
       Inventory, they were informed that “Codes” should not be included. However, some
       offices included “Codes” on their inventory, and some indicated they should be removed.

Procedures for Maintaining and Updating AIS Inventories Are Inadequate

Information in the NRC AIS inventories is inaccurate and inconsistent because the procedures
for maintaining and updating AIS inventories are inadequate. Specifically, the agency (1) lacks
procedures for updating AIS inventories with information collected from office directors,
regional administrators, and system sponsors/owners; (2) provides insufficient guidance to office
directors, regional administrators, and system sponsors/owners when requesting information for
the AIS inventories; (3) lacks procedures for adding new systems to the AIS inventories; and (4)
lacks procedures for updating information for systems already in the inventory. The lack of
adequate procedures not only resulted in the inaccurate and inconsistent data, but also resulted in
duplicative efforts for NRC offices.

Lack of Procedures for Updating AIS Inventories With Information Collected

The FY 2003 FISMA independent evaluation recommended that the agency update the master
inventory of systems.
To address this recommendation, the agency issued a ticket to all NRC
headquarters and regional offices to update their system inventory. This update request was
combined with a request for input on the cost for internal use software, in part to minimize the
impact on offices for duplicate data calls. The agency issued a memorandum on November 25,
2003, describing the data call and stating that in the future, the agency would be issuing two data
calls per year to update/validate the data. The agency made subsequent data calls September 17,
2004, and June 3, 2005.

Carson Associates reviewed the data collected during the three data calls and found that neither
EARS nor ITSSTS was updated with the data collected. For example, one office noted in its
response to the 2004 data call that none of the updates provided in response to the previous
year’s request were applied. Another office noted in response to the 2005 data call that three of
the systems assigned to their office had been transferred to another office in 1993, and that “it
would seem that after 12 years they should no longer show up” on our list. It should also be
noted that the agency is not meeting its commitment to conduct biannual data calls. Since the
first data call in November 2003, the agency has only issued two more.

While the agency has implemented procedures to gather the information required for the
inventories, it has not developed procedures for making sure the information is actually entered
into the inventories. As a result, the inventories are not being updated annually as required by
FISMA.

Insufficient Guidance Provided on Information Required

For the 2003 data call, each office was provided with a single-page “validation report” for each
system sponsored by that office. A sample of the 2003 validation report can be found in
Appendix B.
For the 2005 data call, each office was provided with a three-page validation
report. A sample of the 2005 validation report can be found in Appendix C. The offices were
provided little or no guidance on the information being requested. The following are examples
of the insufficient guidance provided to office directors, regional administrators, and system
sponsors/owners when requesting information for the AIS inventories.

      •   The 2003 data call asked for the “A-130 Type,”9 and whether the system is one of the
          following: MA, GSS, Listed, or Other. However, the 2003 data call provided no
          guidance as to what A-130 Type means, what choices are valid for A-130 Type, and what
          the relationship is between A-130 Type and the other information system types. The
          2003 data call also provided no guidance on the implications of indicating “Yes” for
          sensitive.
          According to MD and Handbook 12.5, if a system contains sensitive data, then
          the system is considered a “Listed” system.
      •   One office director responded to the 2003 data call with several questions pertaining to
          the data call, including:
               - Which fields need to be updated/completed (many of the fields do not apply to
                 most systems)?
               - What are the choices for the A-130 field (what does Other and Non-Tracked
                 System mean)?
               - Which systems need “Approval to Operate?”
               - Can you define “system” as far as what you want us to provide data?
      •   One office responded to the 2004 data call with a question about systems on their
          inventory that were actually subsets of a bigger system. The office asked for guidance on
          how those “subsystems” should be reported. As noted earlier, Carson Associates found
          several subsystems on the inventory, indicating that not enough guidance was provided
          on how these subsystems should be reported.
      •   The 2005 data call provided some guidance on the four system security categories found
          on the validation report by providing a reference to MD and Handbook 12.5. However,
          the 2005 data call did not provide any additional guidance, despite previous requests for
          clarification on the information requested.
      •   All three data calls requested a list of interfacing systems, by System ID. However, the data
          calls did not provide the entire list of NRC AISs and their System IDs. In addition, the
          language used in the validation reports implies that only interfaces with other NRC AISs
          need to be reported.
          FISMA and MD and Handbook 12.5 require all interfaces to be
          included in the inventory, including interfaces with systems or networks not operated by
          or under the control of the agency.

Lack of Procedures for Adding New Systems

The agency lacks procedures for adding new systems to the AIS inventories. For example,
EARS contains an entry for the National Source Tracking System (NSTS), a new system
currently under development. The agency was made aware of this system during the 2004 data
call, yet it was not included in the ITSSTS inventory provided to Carson Associates in July 2005.
Carson Associates has subsequently learned that the NSTS is considered to be a Major
Application, and should be tracked in ITSSTS. Due to the lack of procedures for adding new
systems to the AIS inventories, NSTS was omitted from ITSSTS. Another system Carson
Associates identified in EARS but did not find in ITSSTS is EARS itself. EARS meets the
criteria of a system as defined in MD and Handbook 12.5, yet it was never added to ITSSTS as a
system.

9
    Carson Associates assumes that A-130 refers to OMB Circular A-130, Management of Federal Resources, which
    establishes policy for the management of Federal information resources.

Lack of Procedures for Updating Information for Existing Systems

The agency also lacks procedures for updating information for systems already in the
inventories, other than through the biannual data calls. As a result, systems that are no longer
being used are still being reported as “Active.” Since the agency is currently issuing data calls
only annually, inactive systems could remain on the AIS inventories as “Active” for at least a
year.
For example, one office reported in its response to the 2005 data call that three of its
systems were not year-2000 compatible and their use was discontinued at the end of 1999.
However, since the agency lacks procedures for offices to follow when a system retires or is no
longer used, these systems were still being reported as active systems in the AIS inventories.

AIS Inventories Cannot Support Intended Functions

As stated previously, FISMA requires development of an inventory of major information
systems that shall be used to support five areas of information resources management. However,
as a result of inaccurate and inconsistent data in the AIS inventories, the agency lacks a complete
understanding of what AISs are currently in use, and therefore cannot support two of the five
areas of information resources management specified by FISMA. Without knowing what
information technology is in place, the agency cannot adequately plan, budget, acquire, and
manage information technology. The agency also cannot adequately monitor, test, and evaluate
security controls for AISs as required by FISMA.

AIS Inventories Cannot Support Information Technology Planning, Budgeting,
Acquisition, and Management

FISMA specifies the inventory shall be used to support information technology planning,
budgeting, acquisition, and management under section 3506(h) of title 44, title III of title 40, and
related laws and guidance. These statutes require agencies to design and implement a process for
maximizing the value, and assessing and managing the risks, of agency information technology
acquisitions. Agency programs supporting these statutes include the capital planning and
investment control process and the agency ITA.

An important aspect of the capital planning and investment control process is the integration of
information technology security.
National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-65, Integrating IT Security into the Capital Planning and Investment
Control Process, dated January 2005, provides a systematic approach to selecting, managing,
and evaluating information technology security investments. NIST SP 800-65 describes the
creation of a system inventory as a key aspect of Stage Two (building the investment foundation)
of the Information Technology Investment Management (ITIM) maturity framework.10 The
system inventory ensures the agency can identify cost, benefit, schedule, risk, and investment
ownership information and review investment performance accordingly.

10
     The ITIM maturity framework is a five-stage model, developed by the Government Accountability Office, for
     assessing the maturity of agencies’ investment management practices.

NIST SP 800-65 further states that both FISMA and the ITIM framework require the
development of a system inventory. The system inventory is a cornerstone of the ITIM
framework and also relates directly to investment security concerns. NIST recommends that
agencies work to build a single system inventory that meets the requirements of both the ITIM
framework and FISMA.

MD and Handbook 2.1 include an exhibit that shows how each ITA component is used during
the applications system life cycle.
The ITA database is intended to support the following life
cycle phases:

   •   Planning – to see if a system already exists; plan for integration and retirement.
   •   Acquisition – to ensure acquisitions integrate with existing systems.
   •   Development – to track the status of developing new systems.
   •   Operations and Maintenance – to track and report on current systems.
   •   Decommissioning – to plan system retirements.

However, neither ITSSTS nor EARS can be used to support information technology planning,
budgeting, acquisition, and management as described in Federal statutes and MD and Handbook
2.1, because both inventories contain inaccurate data. For example, the first step in planning a
new information technology acquisition is to determine whether the agency already has a system
that provides the functions sought from the new system. This step cannot be performed if the
agency does not have an accurate inventory of systems already in use, including specifics on
what functions those systems provide.

AIS Inventories Cannot Support Monitoring, Testing, and Evaluation of Information
Security Controls

FISMA also states the inventory shall be used to support monitoring, testing, and evaluating
information security controls. FISMA requires agencies to periodically test and evaluate
information security controls and techniques for the information and information systems that
support the agency to ensure that they are effectively implemented. This requirement includes
testing of management, operational, and technical controls of every information system
identified in the inventory required by FISMA. MD and Handbook 12.5 define the security
controls required for each of the four categories of AISs.
However, the agency cannot monitor,
test, and evaluate information security controls if it does not have an accurate inventory of
systems in use.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Correct the inaccuracies in the AIS inventories.
   2. Validate the information in the AIS inventories annually.
   3. Provide guidance on the type of information required from the office directors, regional
      administrators, and system owners/sponsors when providing AIS inventory updates.
   4. Develop and implement procedures for adding new systems to the AIS inventories.
   5. Develop and implement procedures for notifying OIS of changes in system information
      in the AIS inventories.
   6. Develop and implement procedures for recording system information for systems that are
      composed of multiple components.

3.2       NRC AIS Inventory Systems Are Not Designed To Capture All of the Data
          Needed To Meet FISMA Requirements

As stated previously, FISMA requires development of an inventory of major information
systems that shall be used to support five areas of information resources management. However,
neither ITSSTS nor EARS was designed to capture all of the data needed to fully meet these
requirements.
Specifically:

      •   Only one inventory system captures the data needed to indicate which systems include
          Privacy Act data.
      •   Neither inventory system captures the data needed to support other information resources
          management functions required by FISMA.

As a result, NRC AIS inventory systems do not meet FISMA requirements.

Only One Inventory System Indicates Which Systems Include Privacy Act Data

MD and Handbook 12.5 state that effective privacy protections are essential to all NRC AISs,
especially those that contain substantial amounts of personally identifiable information. The use
of new information technologies should sustain, and not erode, the privacy protections provided
in all statutes and policies relating to the collection, use, and disclosure of personal information.
However, only one inventory system captures the data needed to indicate which systems include
Privacy Act data, i.e., which systems are electronic systems of records and which systems are
duplicate systems of records. In addition, not all systems that include Privacy Act data are
correctly identified in that inventory system.
The agency cannot provide effective privacy
protections, and cannot test and evaluate those protections, if it cannot identify which systems
contain Privacy Act data.

Other Information Resources Management Functions

In addition to (1) information technology planning, budgeting, acquisition, and management and
(2) monitoring, testing and evaluation of information security controls, FISMA identifies three
other information resources management areas that shall be supported by the inventory:

       •    Preparation and maintenance of the inventory of information resources required to
            support the Government Information Locator Service.
       •    Preparation of the index of major information systems required under the Freedom of
            Information Act.
       •    Preparation of information system inventories required for records management.

Neither EARS nor ITSSTS captures the data needed to support these areas of information
resources management. For example, neither inventory system captures the data necessary to
identify an AIS as an electronic records system.11

RECOMMENDATION

       The Office of the Inspector General recommends that the Executive Director for Operations:

       7.
          Modify the AIS inventory systems to capture all of the data needed to meet FISMA
          requirements.

11
     An electronic records system is any information system that produces, manipulates, or stores Federal records by
     use of a computer.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Correct the inaccuracies in the AIS inventories.
    2. Validate the information in the AIS inventories annually.
    3. Provide guidance on the type of information required from the office directors, regional
       administrators, and system owners/sponsors when providing AIS inventory updates.
    4. Develop and implement procedures for adding new systems to the AIS inventories.
    5. Develop and implement procedures for notifying OIS of changes in system information
       in the AIS inventories.
    6. Develop and implement procedures for recording system information for systems that are
       composed of multiple components.
    7. Modify the AIS inventory systems to capture all of the data needed to meet FISMA
       requirements.

5      OIG Response to Agency Comments

OIG provided this report in draft to agency officials and discussed its content at an exit
conference on September 21, 2005. We modified the report as we determined appropriate in
response to our discussion.
Agency officials generally agreed with the report’s findings and
recommendations and opted not to include formal comments.

Appendix A – Scope and Methodology

SCOPE AND METHODOLOGY

The scope of this report includes only inventories, and the systems used to maintain them, that
the agency uses to track information about NRC AISs. This report does not address other types
of inventories maintained by the agency or inventory systems used at the agency. For example,
the Division of Administrative Services within the Office of Administration manages the
Property and Supply System (PASS), which accounts for non-capitalized equipment.12 While
PASS may include information about the information technology equipment, such as servers,
used to support NRC AISs, it does not include information about the AISs themselves.
Therefore, PASS was not included within the scope of this evaluation.

To perform the evaluation of NRC’s AIS inventory process, Carson Associates met with OIS
staff responsible for maintaining ITSSTS and EARS. Carson Associates also compared the data
in ITSSTS and EARS, based on inventories provided by the agency.

The work was conducted from July 2005 to August 2005 in accordance with guidelines from the
National Institute of Standards and Technology, and best practices for evaluating security
controls. Jane Laroussi, CISSP, from Carson Associates conducted the work.

12
     Non-capitalized equipment represents NRC property (either in the agency’s possession or contractor-held) with an
     initial acquisition cost of less than $50,000.
     This includes information technology equipment.

Appendix B – 2003 Validation Report
[Sample 2003 validation report; reproduced as an image in the original and not recoverable here.]

Appendix C – 2005 Validation Report
[Sample 2005 validation report; reproduced as an image in the original and not recoverable here.]
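The inconsistencies the report describes in Section 3 (entries present in only one of ITSSTS and EARS, components listed as systems without their parent, systems flagged sensitive but not categorized as Listed, retired systems still shown as Active, interfaces to System IDs not on the inventory, entries not validated within a year, and standalone Listed systems that may legitimately be absent from EARS) can be checked mechanically once both inventories are exported as records. The Python below is an added example, not part of the OIG report and not NRC's ITSSTS or EARS software; the record layout, finding codes, System IDs and sample rows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AisRecord:
    """One inventory entry. Field names are constructed for this example."""
    system_id: str
    name: str
    category: str = "Other"             # MA, GSS, Listed or Other (MD and Handbook 12.5)
    sensitive: bool = False             # the "Yes" for sensitive box on the validation report
    status: str = "Active"
    retired: Optional[date] = None      # date use was discontinued, if an office reported one
    last_validated: Optional[date] = None
    parent_id: Optional[str] = None     # set when the entry is a component of a larger system
    standalone: bool = False            # e.g. safeguards PCs/laptops that are not on the ITA
    interfaces: FrozenSet[str] = frozenset()  # interfacing System IDs, NRC or external


Finding = Tuple[str, str]


def check_inventory(records: List[AisRecord], as_of: date) -> List[Finding]:
    """Checks that need only one inventory. Returns (finding_code, subject) pairs."""
    ids = {r.system_id for r in records}
    findings: List[Finding] = []
    for r in records:
        # MD and Handbook 12.5: a system with sensitive data is at least a Listed
        # system, so "Other" contradicts a "Yes" in the sensitive field.
        if r.sensitive and r.category == "Other":
            findings.append(("sensitive_not_listed", r.system_id))
        # A reported retirement date next to "Active" is the case the report
        # describes: systems discontinued at the end of 1999 still shown as active.
        if r.status == "Active" and r.retired is not None:
            findings.append(("retired_still_active", r.system_id))
        # FISMA requires the inventory to be updated at least annually.
        if r.last_validated is None or as_of - r.last_validated > timedelta(days=365):
            findings.append(("not_validated_within_year", r.system_id))
        # A component listed as its own system whose parent is not in the inventory.
        if r.parent_id is not None and r.parent_id not in ids:
            findings.append(("subsystem_without_parent", r.system_id))
        # Interfaces must be recorded even to systems not under agency control, so an
        # unknown System ID is either an external interface or a bad ID; flag for review.
        for other in sorted(r.interfaces):
            if other not in ids:
                findings.append(("interface_to_unlisted_id", f"{r.system_id}->{other}"))
    return findings


def reconcile(itssts: List[AisRecord], ears: List[AisRecord]) -> List[Finding]:
    """Cross-inventory checks: entries in only one inventory, and status disagreements."""
    a = {r.system_id: r for r in itssts}
    b = {r.system_id: r for r in ears}
    findings: List[Finding] = [("ears_only", s) for s in sorted(b.keys() - a.keys())]
    for s in sorted(a.keys() - b.keys()):
        # Standalone Listed systems are not part of the ITA and may legitimately be
        # absent from EARS; report them separately rather than as errors.
        code = "itssts_only_standalone" if a[s].standalone else "itssts_only"
        findings.append((code, s))
    for s in sorted(a.keys() & b.keys()):
        if a[s].status != b[s].status:
            findings.append(("status_mismatch", s))
    return findings


# Constructed sample inventories; System IDs, names and dates are invented for this example.
V = date(2005, 6, 3)  # a validation date matching the June 2005 data call
ITSSTS = [
    AisRecord("S-001", "Reactor Program System", "MA", last_validated=V),
    AisRecord("S-002", "RPS component A", "MA", last_validated=V, parent_id="S-001"),
    AisRecord("S-003", "RPS component B", "MA", last_validated=V, parent_id="S-999"),
    AisRecord("S-004", "Legacy fee tracker", sensitive=True,
              retired=date(1999, 12, 31), last_validated=date(2003, 11, 25)),
    AisRecord("S-005", "Safeguards laptop", "Listed", last_validated=V, standalone=True),
]
EARS = [
    AisRecord("S-001", "Reactor Program System", last_validated=V,
              interfaces=frozenset({"S-002", "S-010"})),
    AisRecord("S-002", "RPS component A", last_validated=V),  # EARS cannot mark subsystems
    AisRecord("S-004", "Legacy fee tracker", status="Inactive", last_validated=V),
    AisRecord("S-007", "EARS", last_validated=V),
    AisRecord("S-008", "National Source Tracking System", last_validated=V),
]
AS_OF = date(2005, 7, 1)

if __name__ == "__main__":
    all_findings = (check_inventory(ITSSTS, AS_OF) + check_inventory(EARS, AS_OF)
                    + reconcile(ITSSTS, EARS))
    for code, subject in all_findings:
        print(f"{code:28s} {subject}")
```

Each finding code maps to one of the report's recommendations (1, 2, 4, 5 or 6), so the output doubles as a worklist for the owning office.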